New Malware Uses Fan Noise to Steal Data from Air Gapped Computers

New Malware Uses Fan Noise to Steal Data from Air Gapped Computers

One of the safest PC setups you can have is an air gap system. In this system, there’s literally a gap of air between your PC and the outside world.

But a new malware technology has found an innovative way to steal data from air gapped computers. That malware looks at the noise coming from a computer’s fan speed.

Sounds crazy? It’s true. And it’s been successfully used to steal data from computers up to 4 meters away.

How Do You Steal Data from an Air Gapped Computer?

Malware uses the noise emanated by a computer’s fan speed to relay information to a nearby recording device.

This attack method hasn’t actually been spotted in the wild. However, researchers have proved that it’s possible in a test setting.

Prior to this method, the best way to steal data from an air gapped computer was to use low frequency sounds sent through the computer’s speakers to send data to a nearby microphone. Researchers proved such an attack was possible in a research setting.

An air gapped computer, by the way, is a computer where there’s literally a gap of air between the system and the outside world. The computer is not connected to the internet using wires and all data must be transferred to the system using external devices.

After that attack method mentioned above was discovered, PC security experts began removing speakers from air gapped computers to mitigate the security risk.

Today, those PC security experts are facing another innovative attack method that involves fiddling with your fan speed to steal data. Here’s how that attack works.

How Do You Steal Data Using Fan Speed?

Four researchers from Israel’s Ben-Gurion University created a piece of malware called Fansmitter. That malware works in a similar way to the scenario mentioned above, where noise data is transferred to a nearby microphone.

fansmitter 2

The only difference is that instead of speakers, Fansmitter uses a computer’s fans to send data from the infected host to a listening microphone.

The computer’s fans can be sent to work at two different speeds. One fan speed corresponds to a binary “0” while the other corresponds to a binary “1”.

The microphone listens to the fan speed, interprets the binary information, and steals data without a physical or virtual connection to the PC.

Fansmitter can be set to work with multiple fans on a PC, including any chassis-mounted fans or a CPU/GPU fan. It’s proven effective up to 4 meters away. Researchers stated that four meters is a reliable distance for a smartphone or microphone left behind by attackers to pick up sounds.

It’s Incredibly Slow

You’re not going to transfer gigabytes of data using Fansmitter anytime soon.

In fact, researchers have demonstrated that the attack method can only steal between 3 bits and 15 bits of data per minute. That bit rate declines the further you go away from the computer. When switching between frequencies of 1000 RPM for 0 and 1600 RPM for 1, researchers stole data at a crawling 3 bits per minute.

fansmitter 3

Stealing data is faster when you can spin the fans at high speeds. Of course, this also increases the likelihood of being caught. People are going to notice when their fan is fluctuating between 2000 and 4000RPM at a rapid pace.

You can view the white paper explaining the technology here.

Should You Be Worried?

Researchers also suggested that it was possible to steal data by looking at fan frequency data as well as coil whine (which is the noise caused by the interactions between PC components).

Ultimately, air gapped computers have long been thought to be the last bastion of PC security. If air gapped computers no longer protect you from theft, then what are you supposed to do for PC security?

The truth is: these attacks steal data at an incredibly slow rate. They have only ever been demonstrated in a research setting and have not been spotted in the wild.

So no, you shouldn’t be worried. Unless your computer is holding nuclear secrets.

No Comments

Sorry, the comment form is closed at this time.